What is PSD2?
The revised Payment Services Directive (EU 2015/2366 PSD2) aims to reduce fraud while opening up payment markets to new entrants. Increasing security standards is a key part of PSD2 and the associated European Commission delegated Regulation (EU 2018/389). The deadline for compliance with Strong Customer Authentication (SCA) as set out in EU law was initially 14 September 2019.
In response to industry concerns about readiness to apply SCA to e-commerce transactions, and to minimise potential disruption to consumers and merchants, the European Banking Authority (EBA) accepted that the Central Bank of Ireland and other EU National Competent Authorities may give firms limited additional time to implement SCA for e-commerce transactions.
Accordingly, the new Central Bank of Ireland deadline for compliance with SCA for electronic commerce card-based payment transactions is 31 December 2020.
PSD2 and Stronger Authentication
The main goal of PSD2 is to open the payment ecosystem, allowing for new technologies that aim to simplify online payments or transfers. However, another aspect of the policy is to address concerns about rising costs of fraud for online financial transactions by mandating stronger customer authentication.
Strong Customer Authentication (SCA) mandates the use of Two-Factor Authentication for all transactions above 30 Euros. These transactions will need to be authenticated using at least two of the following three factors:
Something that only the customer knows. For example, a password, PIN, or response to a security question. Card data (e.g., card number, CVV, or expiry date) is not considered a valid knowledge factor.
Something that only the customer has. For example, a mobile phone.
Something that the customer is. For example, a biometric such as a fingerprint.
Next steps for your business
The good news is your platform is ready to switch over to PSD2. All that you need to do is contact your credit card provider and ask them to switch you over to 3D Secure Version 2.
You may already be on 3D Secure version 1 so the switchover should be seamless – or they may have already switched you over to version 2 without telling you.
If they have not, ensure that you put through a test order after they switch you over and that you monitor orders closely for a while after.
And if you are with Global Payments (Realex) or Elavon, please look out for the “Extra concerns” listed below.
If you have any concerns, please email the team at Helpdesk@magico.com.
Extra concerns regarding Global Payments (Realex) & Elavon
For the 3D Secure V2 integration, Global Payments (Realex) and Elavon perform extra validation on the details passed to them from the credit card entry screen, including requiring some mandatory billing details about the customer.
Therefore, we have turned on the “Enter Billing Details” screen for you and made the “Post Code” field mandatory, as these are mandatory fields required by Global Payments and Elavon. We also strip out all non-numeric characters from the phone number before passing it over to them.
However, we have not tested these for every live environment scenario (e.g. orders from foreign countries). The user could be shown an error on the checkout screen that will not make much sense to them: they may not understand that they have to click “I’d like to use a different cardholder address” and then enter a post code. Please look out for these issues reported by customers and send them through to the Help Desk for us to try and fix. Our approach to fixing these scenarios is to catch the validation errors earlier in the checkout process, at the point where the user enters the details.